NATIONAL CREDIT UNION ADMINISTRATION
OFFICE OF INSPECTOR GENERAL

INDEPENDENT EVALUATION OF NCUA'S INFORMATION SECURITY PROGRAM
REQUIRED BY GOVERNMENT INFORMATION SECURITY REFORM ACT
2002

Report #OIG-02-11        September 30, 2002

Acting Inspector General:

Auditor in Charge:

NATIONAL CREDIT UNION ADMINISTRATION - OFFICE OF INSPECTOR GENERAL
INDEPENDENT EVALUATION OF NCUA'S INFORMATION SECURITY PROGRAM - 2002

Executive Summary

The Government Information Security Reform Act (GISRA) is part of the Defense Authorization Act (Public Law 106-398, Title X, Subtitle G). The law requires each Federal agency to develop, implement and review a comprehensive agency-wide security program. The Act applies to all systems supporting all operations of the agency, whether currently in place or planned. For some agencies, the Act also extends to contractor systems if they are used by the agency to support operations. The agency head is required to submit an annual report to Congress summarizing the findings and issues identified during the year. To meet these requirements, the Act requires that agencies perform independent internal reviews and security testing.

Key GISRA requirements include:

   •   An annual independent evaluation of agency information systems security controls.
   •   An examination of the adequacy and effectiveness of information security policies, procedures and practices.
   •   An assessment of compliance with the requirements of the Act.
   •   An annual report submitted to Congress by the agency head summarizing the findings and issues identified during the year.

The information technology infrastructure supporting NCUA's nineteen mission critical systems is composed of a wide-area network with servers, notebooks and desktop computers. This infrastructure provides the computing platform for all major business applications of NCUA. The platform includes all IT hardware, communications, network storage, central databases and operating systems. Servers are configured with either the Microsoft Windows NT or the Microsoft Windows 2000 operating system, and provide a variety of services.

Based on NCUA's GISRA 2001 Report, we determined that NCUA was not yet in compliance with GISRA. The following represented the agency's status toward compliance with key GISRA provisions as of August 2001:

   •   NCUA needed to develop an agency-wide security program. NCUA had developed a draft security policy that would be incorporated in the security program; however, this policy had not been approved by the agency head or disseminated to personnel with key responsibilities.
   •   NCUA needed to perform risk assessments.
   •   NCUA program managers needed to perform periodic management testing of controls and perform their annual program review as required by GISRA.
   •   For the reporting cycle, NCUA had provided some security training to personnel with significant security responsibilities, and security awareness training was provided to all employees on a 3-year cycle coinciding with equipment replacement. New examiners were provided with basic computer training, which included security awareness. Contractors and new non-examiner personnel were not provided any security awareness training.
   •   NCUA needed to formalize an incident response program.
   •   NCUA's Office of the Chief Information Officer (OCIO) needed to perform the annual security program review required by GISRA.
   •   NCUA had not yet determined the resources required to implement the security program and incorporate this program in the budget and strategic planning process.

During the past year, NCUA prepared an overall agency security plan in addition to security plans for each mission critical system. NCUA also performed risk assessments for each mission critical system using the National Institute of Standards and Technology (NIST) Special Publication 800-26, "Security Self-Assessment Guide for Information Technology Systems."

During 2002, the Office of Inspector General (OIG) contracted with Urbach Kahn & Werlin, LLP SACteam™, Information Risk Management Services Group (UKW), to evaluate the agency-wide plan, as well as each individual system security plan and risk assessment, in depth. In addition, implementation of prior security related audit recommendations and the agency's plans of action and milestones were evaluated. Establishing and maintaining effective security controls are important responsibilities of the management of the system owners and the agency. Effective security controls are essential to meeting the requirements of GISRA. The primary objective of this review was to assess whether the controls required by GISRA and prior promulgations (OMB Circular A-130 Appendix III, the Computer Security Act of 1987, the Clinger-Cohen Act of 1996, the Paperwork Reduction Act of 1995, et al.) are in place and operating as designed.

Summary Conclusion

The NCUA OIG determined that NCUA is actively working towards compliance with GISRA. Risk assessments and security plans were completed for all but one of NCUA's mission critical systems. Specifically, a risk assessment and corresponding security plan were not completed for the General Services Administration (GSA) Payroll, Accounting and Reporting System (PAR). Subsequent to our review, NCUA contacted GSA and performed a risk assessment and prepared a security plan for PAR. In addition, we noted and detailed conditions of risk and made recommendations for improvement relevant to each of the applications reviewed. These are detailed in the individual report sections and are being addressed by the program officials and the Office of the Chief Information Officer (OCIO) as required. Each of the items listed in these reports has been discussed with, reviewed by and concurred in by the respective program officials and the Information Security Officer. NCUA management comments are summarized at the end of each individual report section. None of the individual application risk conditions affects the overall recommendation regarding GISRA compliance detailed in the following paragraph.

The OIG supports reporting NCUA's GISRA compliance at Level 2 (see page 60). The majority of the critical elements under review are rated at Level 2 (e.g., policies and procedures are in draft format) or Level 3 (e.g., the relevant policies and procedures are approved and implemented). A Level 2 or 3 rating is applied to each of the systems except for PAR, which was discussed in the preceding paragraph. We have applied a Level 0 rating to all of the systems regarding certification/re-certification and authorization to process within NCUA's information system architecture.

The remainder of this report is restricted for Limited Official Use only.